by vacri 3291 days ago
Debian Stable is just that: stable. The default browser is an Extended Support Release (marked as such by the vendor, not Debian), so it'll stick around longer.

An ESR is more useful for use cases like education or companies that roll their own SOEs and like to document things for users. Browsers love randomly changing the UI or other behaviour on a whim (and on a 6-week cycle). So, it's a browser's ESR by default, and you can always install another one.


> The default browser is an Extended Support Release (marked as such by the vendor, not Debian), so it'll stick around longer.

But Debian Jessie was the "Stable" version for roughly two years. Mozilla's end-of-life for ESR 52 is on June 26, 2018. If Stretch has the same lifetime as Jessie, that leaves roughly one year during which Firefox ESR 52 will be end-of-life.

So how will Debian Stretch remain stable during a period when it is shipping an end-of-life Firefox for which-- as Mozilla states-- "no further updates will be offered for that version?"

edit: typo

This is the case for a lot of software. Usually, distribution support is longer than upstream. Therefore, distributors have to backport the patches. That's what is done for Debian.

There are a few exceptions: any Oracle product (Oracle doesn't provide security patches and discourages people from making them), Chromium (patches are too big) and Firefox (idem). For Chromium, the exception is to use the latest version. For Firefox, the exception is to switch to the next ESR once the current one becomes unmaintained.

Thanks, I didn't realize that.

Do you know if these exceptions are documented somewhere deep in the Debian doc maze?

It's kinda documented in release notes:

https://www.debian.org/releases/stretch/amd64/release-notes/...

They don't mention the Oracle debacle, though.

> Unfortunately, this means that libv8-3.14, nodejs, and the associated node-* package ecosystem should not currently be used with untrusted content, such as unsanitized data from the Internet.

Jeez. I guess this means most people will be using other node binaries in production.

If they are, I don't know where.